What Are The Most Impactful Tips For Educating My Employees About Cybersecurity?

Just how important employee cybersecurity education really is, however, is not clear to many organizations, and that gap is putting numerous businesses at unnecessary risk.

Fortunately, raising the cybersecurity education level of your employees does not have to be overly expensive or difficult.

The magnitude of the issue can be seen from just a few numbers. The latest statistics available from the IBM X-Force Threat Intelligence Index show that inadvertent insider actions were responsible for more than two-thirds of all records compromised in 2017.

Avoiding those inadvertent insider actions is largely a matter of knowing what those actions are and why they are taken. Educate employees about them and about what to do if they suspect a breach or the risk of one, formulate effective policies, and establish good communication practices, and your cybersecurity stance can be significantly improved with the technology you already have.


To help get you started the Helpful Humans at Liquid Web have shared a few of their top broadly applicable tips for how to educate employees about cybersecurity.

Phishing is a common threat vector for businesses of all sizes and generally relies on an employee providing information or clicking a link to what they think is a trusted party, but is, in fact, a fraudster.

While phishing techniques are becoming more sophisticated, the general principles that guard employees and the businesses they work for against them are still the same.

Keep these guidelines in mind:

Do not provide information of any kind or act on an email (such as by clicking a link) unless you are certain of who you are communicating with

Do not open attachments or enable content in an email from an address you do not recognise

Do not freely give out company information over the phone

Be aware of what constitutes a suspicious request, such as any request for account credentials, an unexplained change to payment or banking details, or pressure to act urgently and quietly
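Several of the guidelines above come down to one question: is the message really from who it claims to be? As an added illustration (this is not code from Liquid Web or the original article), the script below parses a raw email with Python's standard library and flags the indicators a trained employee is taught to look for: a display name that shows one address while the real sender is another, a Reply-To pointing at a third domain, an SPF/DKIM failure recorded by the receiving server, a link whose visible URL differs from its real target, and hosts that borrow the company's name without being its domain. `TRUSTED_DOMAINS` is an assumed company domain, and `SAMPLE_PHISH` is a constructed message, not a real one.

```python
"""Flag common phishing indicators in a raw email message (standard library only)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s). A host that merely contains one of
# these names (example.com.verify-login.net) is treated as a lookalike, not as trusted.
TRUSTED_DOMAINS = {"example.com"}
_URL_TEXT = re.compile(r"^(https?://|www\.)|^[\w-]+(\.[\w-]+)*\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Lower-cased hostname of a URL (scheme optional); '' if the text is not URL-like."""
    if not _URL_TEXT.match(url):
        return ""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _is_lookalike(host):
    """True when a host borrows a trusted name without being that domain or a subdomain."""
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return False
        if trusted.split(".")[0] in host:
            return True
    return False


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)
    # Display name shows one address while the message really comes from another.
    _, name_addr = parseaddr(display_name)
    if "@" in name_addr and _domain(name_addr) != sender_domain:
        findings.append(("display_name_spoof", f"{name_addr} shown, sent by {sender}"))
    if _is_lookalike(sender_domain):
        findings.append(("lookalike_sender", sender_domain))

    # Replies quietly routed to a third domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_to and _domain(reply_to) != sender_domain:
        findings.append(("reply_to_mismatch", reply_to))

    # The receiving mail server recorded an SPF/DKIM/DMARC failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings += [("auth_fail", c) for c in ("spf", "dkim", "dmarc") if f"{c}=fail" in auth]

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host, text_host = _host(href), _host(text)
            # Visible URL names one host, the real link goes to another.
            if text_host and href_host != text_host:
                findings.append(("link_text_mismatch", f"{text} -> {href}"))
            if _is_lookalike(href_host):
                findings.append(("lookalike_link", href_host))
    return findings


# Constructed sample, not a real message: every indicator above is present.
SAMPLE_PHISH = """\
From: "helpdesk@example.com" <support@mail-example-secure.net>
Reply-To: accounts@reply-drop.net
To: jane@example.com
Subject: Your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example-secure.net; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset it now to avoid lockout:</p>
<a href="http://example.com.account-verify.net/reset">https://example.com/reset</a>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_PHISH):
        print(f"{code:20} {detail}")
```

Run against the constructed sample it reports all six indicators; a legitimate message from the trusted domain with an honest link produces none. The checks are deliberately simple heuristics for training discussions, not a replacement for a mail gateway: a real filter would also verify the Authentication-Results header came from your own server rather than trusting one the attacker wrote.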

What To Do

Employees should also know what procedures they are expected to follow if they suspect they have been targeted by a common attack method. Even at small organizations with no IT team to block specific IPs or adjust firewall rules, the information should be shared immediately, so that the first employee to spot a fraudulent message is the only one who has to.

Every employee should know to cease communication, disconnect the device from the network (rather than powering it off, which destroys evidence that responders may need), and follow the notification procedure, which should specify who to tell and the fastest way to do so.

Strong Security Means Good Policies

Set out policies to drive the procedures. Clearly defined policies not only ensure that employees know what to do but can also, in some cases, be written directly into the filtering systems of security tools, as in the case of firewall blocklists.

What Policies Do You Need?

There are a number of areas in which policies should be considered. Consult the best practices associated with your industry and seek the advice of an experienced service provider. These basic policy areas apply to practically all organizations.

Stronger Authentication

Require strong passwords and a second factor as a matter of policy. Weak and reused passwords continue to be a commonly exploited vulnerability, and as frequent data breaches expose more and more credentials, the problem will only get worse. NIST recommends multi-factor authentication (MFA; two-factor authentication, or 2FA, is the common case), combining a long passphrase with a second factor. Its password guidance favours length over complexity rules: screen new passwords against lists of breached passwords, do not force arbitrary periodic changes, and do not require special-character mixes.

The standards body's Special Publication 800-63-3, Digital Identity Guidelines (circulated in draft as Digital Authentication Guideline), and its companion SP 800-63B describe authenticator types such as the multi-factor OTP device: an app or hardware token that generates one-time passwords only after it has been unlocked by a second factor, either a memorized secret such as a PIN or an inherence factor such as a fingerprint. The OTP is generated on the device from a shared secret, not transmitted to it, which is what distinguishes it from SMS delivery, a channel NIST classes as restricted because messages can be intercepted or redirected.

This prevents a single breached password from causing extensive harm to your business. An authentication policy also shows employees the organization is serious about security.
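To make the OTP mechanism and the NIST password rules concrete, here is an added example in Python (not code from Liquid Web or from NIST): an RFC 4226/6238 one-time-password implementation with skew-tolerant, constant-time verification, plus a password screen that applies the SP 800-63B rules described above. `DEMO_SECRET` is the published RFC test-vector key, so the codes it produces can be checked against the RFC tables; `BREACHED` is a constructed stand-in for a real breached-password corpus.

```python
"""Multi-factor one-time passwords (RFC 4226/6238) and NIST-style password screening.

Standard library only. DEMO_SECRET is the RFC test-vector key so output can be
checked against the published values; real secrets come from new_secret().
"""
import hashlib
import hmac
import secrets
import struct
import time

DEMO_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 appendix test secret

# Constructed stand-in for a breached-password corpus (SP 800-63B section 5.1.1.2).
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) followed by dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP over the current time window; both sides derive it, nothing is sent."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, window=1, digits=6):
    """Accept the current window and +/-window neighbours to tolerate clock skew.

    The comparison is constant-time so a wrong guess leaks nothing through timing.
    """
    now = int(time.time() if unix_time is None else unix_time)
    return any(
        hmac.compare_digest(totp(secret, now + drift * step, step, digits), submitted)
        for drift in range(-window, window + 1)
    )


def new_secret(nbytes=20):
    """Fresh per-user secret to share at enrollment (for example via a QR code)."""
    return secrets.token_bytes(nbytes)


def password_ok(password, username, breached=BREACHED):
    """SP 800-63B memorized-secret rules: a length floor, breach-list screening and
    no context-specific words; no composition rules and no forced rotation."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if password.lower() in breached:
        return False, "appears in a breach corpus"
    if username.lower() in password.lower():
        return False, "contains the username"
    return True, "accepted"


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(DEMO_SECRET, 0))
    print("TOTP at t=59   :", totp(DEMO_SECRET, 59), totp(DEMO_SECRET, 59, digits=8))
    print("verify at t=89 :", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59), unix_time=89))
    print("password check :", password_ok("correct horse battery staple", "jane"))
```

The point for policy writers: the code the employee types is derived on their device and on your server from a secret shared once at enrollment, so a phished password alone does not get an attacker in, and a code captured from a phishing page is only good for the current thirty-second window. A real deployment would additionally rate-limit attempts and refuse to accept the same code twice.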

Data Protection

Some types of data are more sensitive than others, but all organizations have documents or other data they do not want publicly shared, and therefore need a data protection policy. If sensitive data, such as proprietary company information, customers' personal data, or payment information, is stored, implement clear rules about how that data is stored, how long it is stored for, and what happens when it is no longer needed.

Common data storage policies include rules for encrypting data at rest and in transit, so that in the event it is exposed or breached it is not readable without the key, as well as rules for limiting access to data based on its sensitivity.

Access to data should be limited to only those employees or third parties that require it, in what is called the principle of least privilege. This often means building different levels of privilege into logical access controls.
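As an added illustration of what "building different levels of privilege into logical access controls" looks like in code (this is example code, not Liquid Web's), the Python below encodes an ordered set of sensitivity levels, gives each principal a clearance plus an explicit list of grants, denies anything that is not explicitly allowed, and separately lists records whose retention period has ended. The level names, teams, records and principals are constructed for the example; encryption of the stored data is assumed to happen elsewhere and is not shown.

```python
"""Deny-by-default access decisions driven by data classification (standard library only)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Ordered sensitivity levels: a clearance covers its own level and everything below it.
LEVELS = ("public", "internal", "confidential", "restricted")


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    owner_team: str
    created: date
    retention_days: int


@dataclass
class Principal:
    name: str
    clearance: str
    # Explicit grants: action -> teams whose data may be touched ("*" means any team).
    grants: dict = field(default_factory=dict)


def decide(principal, record, action):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if record.classification not in LEVELS or principal.clearance not in LEVELS:
        return False, "unknown classification or clearance"
    if LEVELS.index(principal.clearance) < LEVELS.index(record.classification):
        return False, f"clearance {principal.clearance} is below {record.classification}"
    teams = principal.grants.get(action, set())
    if record.owner_team not in teams and "*" not in teams:
        return False, f"no {action} grant for {record.owner_team} data"
    return True, f"{action} granted on {record.owner_team} data"


def past_retention(records, today):
    """Records whose retention window has closed and that must be deleted or archived."""
    return [r for r in records if today > r.created + timedelta(days=r.retention_days)]


# Constructed sample data, not taken from any real system.
RECORDS = [
    Record("payroll-2023.csv", "confidential", "finance", date(2023, 1, 15), 7 * 365),
    Record("handbook.pdf", "internal", "hr", date(2024, 3, 1), 2 * 365),
    Record("card-tokens.db", "restricted", "payments", date(2022, 6, 1), 365),
]
ALICE = Principal("alice", "confidential", {"read": {"finance", "hr"}, "write": {"finance"}})
BOB = Principal("bob", "internal", {"read": {"hr"}})
AUDITOR = Principal("auditor", "restricted", {"read": {"*"}})  # read-only, even at top level

if __name__ == "__main__":
    for who in (ALICE, BOB, AUDITOR):
        for rec in RECORDS:
            for action in ("read", "write"):
                ok, why = decide(who, rec, action)
                print(f"{who.name:8} {action:5} {rec.name:18} {'ALLOW' if ok else 'DENY '} {why}")
    print("past retention:", [r.name for r in past_retention(RECORDS, date(2024, 1, 1))])
```

Two design choices carry the least-privilege idea: clearance alone never grants anything (the auditor can read everything but write nothing, because no write grant exists), and a missing grant is a denial rather than an error, so adding a new action or team defaults to closed.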

Testing

Put your employees – and your training – to the test. Some large businesses hire white-hat hackers to conduct penetration testing, but there are many ways to test the cybersecurity awareness of your employees.

You can challenge your employees by simulating a phishing email or social engineering attack. This provides practice and information, and helps employees keep the very real risks of fraud and hacking in mind. Measure how many people report the simulated message, not only how many click it: a rising report rate is the result you want, and singling out those who clicked tends to discourage the reporting you depend on.

Communication

The above tips all hinge on information about potential security threats flowing freely between employees and IT decision-makers, as well as to and from service providers. This is because attack methods, software vulnerabilities, and security technology all change constantly, and keeping up is part of keeping cyber safe.

Dedicated Meetings

Set aside time specifically for cybersecurity education and updates. Many businesses try to conduct cybersecurity communication or training by tacking it on at the end of meetings for core operational topics.

While this may seem like the convenient way to do it, the topic tends to end up getting put off or short-changed. People anxious to leave for lunch or the weekend might be given quick verbal reminders or barely-reviewed materials, which are often ignored, and the organization’s risk mounts.

Setting aside time specifically to formulate, pass on, and review the appropriate information and policies ensures that it is not put off until it is too late.

Establish a clear notification process, setting out how suspicions are communicated to the person responsible for cybersecurity, how they are vetted, and finally, how they are communicated to the rest of the organization.

Also assure your employees that they are expected to report their suspicions, not evaluate every potential threat. That means false alarms will happen, and they should not hesitate to follow the notification policy for fear of being wrong.

Employees who are educated about cybersecurity are empowered to act in defense of the organization, rather than being a target for cybercriminals.

Combined with the security tools of a trusted service provider that rapidly provides expert human guidance, employees can keep threat response time to a minimum and help protect sensitive data from a wide range of attacks.

Need Help With Security?

Liquid Web provides a suite of security tools to help you as you put together your policies, procedures, and communication strategy with your team, including our Firewalls; VPNs; Server, Data, and Web Application Protection; and DDoS Attack Prevention.

About the Author

Josh has worked at Liquid Web for over 4 years, starting out in the support team and moving up to his current position as a Cybersecurity Engineer. Josh is always on the hunt for the latest security-related issues and loves to share his knowledge with others.